Question ID:
2018_4415
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
5
Type of submitter:
Other
Subject Matter:
Dynamic linking for batch transactions
Question:

In relation to payment transactions for a batch of remote electronic payments to one or several payees, please clarify whether the payer needs to be made aware of every payee in the batch?

Background on the question:

Paragraph 3b of Article 5 stipulates that, in relation to payment transactions for which the payer has given consent to execute a batch of remote electronic payment transactions to one or several payees, the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees.

Paragraph 1 of Article 5 stipulates that payment service providers shall adopt security measures to ensure that the payer is made aware of the amount of the payment transaction and of the payee.

Batch transactions might consist of a large number payments, so that it is impractical for a payer to be made aware of every payee in the batch during the payment authentication process.

Date of submission:
11/12/2018
Published as Final Q&A:
20/12/2019
EBA Answer:

Article 5(1)(a) of the Commission Delegated Regulation (EU) 2018/389 states that “where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366, in addition to the requirements of Article 4, they shall adopt security measures that meet”, among others, the following requirement: “a) the payer is made aware of the amount of the payment transaction and of the payee”. This means that the payer should be able to check the payees list, included in the batch of remote payment transactions, should the payer wish to do so.

Article 5(3)(b) of the Delegated Regulation, in turn, states that “in relation to payment transactions for which the payer has given consent to execute a batch of remote electronic payment transactions to one or several payees, the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees”. As clarified in Q&A 2018_4435, this means that the payment service provider should dynamically link the authentication code for a batch of remote electronic payment transactions to every single payee included in that batch.

Q&A 2019_4556 provides further details on the identification of the payee and the generation of the authentication code.

Status:
Final Q&A